SystemUI As EvilPiP: The Hijacking Attacks on Modern Mobile Devices

Activity Hijack Attack (HA) is a technique where malware injects malicious content into trusted applications by seizing foreground control

Three key requirements for successful HA attacks:

• Ability to start activity from background
• Ability to detect runtime state from background
• Ability to run persistently in background

Google implemented several security policies to prevent HA:

• Runtime state leaking restrictions
• Background execution limitations
• Permission Access Level (PAL) restrictions

Picture-in-Picture (PiP) vulnerabilities can be exploited to bypass restrictions:

• Abnormal PiP window sizing can be used to create invisible windows
• System considers PiP windows as visible even when minimized
• PiP windows can maintain high priority status

Key bypass techniques discovered:

• Using accessibility services and system services to gain elevated privileges
• Exploiting account manager bindings
• Manipulating out-of-memory ADJ scores
• Creating system window types with higher z-index values

Vulnerable applications targeted through:

• Background service binding
• Activity launch chain manipulation
• Window container transition objects
• Surface control transitions

Attack is particularly effective because:

• Requires no dangerous runtime permissions
• Can be undetectable to users
• Works across multiple Android versions
• Can target sensitive applications like banking apps

Multiple CVEs discovered related to PiP and SystemUI vulnerabilities across Android versions 32-34